Many web services provided over the Internet require a user to set up an account in order to fully utilize the web service. Users usually provide personal information to set up these web service accounts. To protect a user's personal information and use of the web service, most services institute security measures to prevent unauthorized access to a user's account.
Web services provide security in different ways to protect user information and use of their accounts. Some web service web sites provide user authentication by storing authentication information in a separate browser cookie file on the hard drive of a client device. In cookie-based authentication web services, the authentication information is accessed from one or more cookies at the client and sent to the web service whenever a request is made to the web service. The server receives the request, analyzes the authentication information and provides a response. If the authentication information retrieved from the cookie is validated (for example, the cookie authentication information matches server generated authentication information), a server generated response will include the requested content. If the authentication information is not validated by the server, the requested content is not provided.
Cookie-based authentication does not always protect the security of a user making a request. In some cases, an “attack” may use the authentication cookies to make a request on behalf of a user without the user's consent. For example, a user may receive an email through a web-based email service. The received email may contain an attachment. The attachment may include JavaScript code inserted by an attacker. When the user accesses her account and opens the email attachment through a browser application, the application may automatically execute the JavaScript. Execution of the JavaScript code may cause a message to be sent on behalf of the user. Thus, an attacker may send an email having an attachment to a user. When executed, the attachment sends an email that appears to be from the user's email account. This may allow attackers to send email, such as spam, to recipients from an email account other than their own.
In another case, two or more users at separate computing machines may communicate over a network from behind a proxy server. The proxy server may mistakenly provide personal data for one user to another user. For this to occur, a first user sends a request to a server through the proxy. The request may be associated with user account information associated with a service provided by the server. For example, the first user may request to see an email inbox content page for his email service account. The proxy may send the request, retrieve the response, cache the response, and provide the response to the first user. Subsequently, a second user may make the same request to the server, but for his own account information. After receiving the second user's request, the proxy may recognize that data associated with the request is currently cached (actually, the first user's data is cached). In response, rather than send the request to the server, the proxy may access the cached data (associated with the first user) and provide the data to the second user. Thus, data associated with the first user is provided to the second user by the proxy.
Previous web service security mechanisms have weaknesses in protecting user information and use of a web service. It is valuable for a network service to identify whether requests are initiated by their owner and provide accurate data to a user whom requests content.